
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-12034 is a SQL injection vulnerability discovered in Rockwell Automation's EDS Subsystem Version 28.0.1 and prior, affecting multiple products including FactoryTalk Linx software (Versions 6.00, 6.10, and 6.11), RSLinx Classic (Version 4.11.00 and prior), RSNetWorx software (Version 28.00.00 and prior), and Studio 5000 Logix Designer software (Version 32 and prior). The vulnerability was disclosed on May 19, 2020 (NIST NVD).
The vulnerability stems from inadequate input sanitization in the EDS subsystem: field values read from a crafted EDS file are passed into SQL queries, allowing an attacker to inject SQL and manipulate the database that stores the EDS files. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (HIGH) with the vector string AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H, indicating it can be exploited from an adjacent network with low attack complexity and requires no privileges or user interaction (CISA Advisory).
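The bug class behind this advisory, file-controlled values concatenated into SQL, is shown below as an added, hypothetical example written for this page. It is not Rockwell's EDS subsystem; the file format is a simplified INI-style subset of a real EDS file, the table name `eds_files`, the allow-listed keys and both sample files are constructed. The vulnerable store routine sits beside the hardened one that binds the same values as query parameters.

```python
"""Toy illustration of the bug class in CVE-2020-12034: an INI-style EDS file
whose field values are concatenated into SQL. Hypothetical code written for
this page; it is not Rockwell's EDS subsystem and the format is a simplified
subset of a real EDS file."""
import re
import sqlite3

# Constructed sample files. A real EDS file has many more sections and keys.
BENIGN_EDS = '''[Device]
VendName = "Example Vendor"
ProdName = "Example Drive"
'''

# Constructed hostile sample: the ProdName value closes the SQL string literal
# and appends a second row to the INSERT, so the file decides what gets stored.
HOSTILE_EDS = '''[Device]
VendName = "Example Vendor"
ProdName = "x'), ('injected vendor', 'injected product"
'''

# key = "value" lines; the quoted value is taken verbatim
FIELD_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')
EXPECTED_KEYS = {"VendName", "ProdName"}  # allow-list of keys this importer stores


def parse_eds(text):
    """Return a dict of the allow-listed key/value pairs found in an EDS-like file."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) in EXPECTED_KEYS:
            fields[m.group(1)] = m.group(2)
    if not EXPECTED_KEYS <= fields.keys():
        raise ValueError("EDS file lacks required keys")
    return fields


def new_db():
    """Fresh in-memory database with the (constructed) eds_files table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE eds_files (vend_name TEXT, prod_name TEXT)")
    return conn


def store_vulnerable(conn, fields):
    """Vulnerable pattern: file-controlled values are pasted into the SQL text."""
    sql = "INSERT INTO eds_files (vend_name, prod_name) VALUES ('%s', '%s')" % (
        fields["VendName"], fields["ProdName"])
    conn.execute(sql)


def store_hardened(conn, fields):
    """Fixed pattern: values travel as bound parameters, never as SQL syntax."""
    conn.execute(
        "INSERT INTO eds_files (vend_name, prod_name) VALUES (?, ?)",
        (fields["VendName"], fields["ProdName"]),
    )


def import_eds(text, store):
    """Parse an EDS-like file, store it with the given routine, return all rows."""
    conn = new_db()
    store(conn, parse_eds(text))
    return conn.execute(
        "SELECT vend_name, prod_name FROM eds_files ORDER BY rowid").fetchall()


if __name__ == "__main__":
    # The hostile file yields two rows through the vulnerable path and exactly
    # one row, with the odd-looking value stored literally, through the fixed one.
    print("vulnerable:", import_eds(HOSTILE_EDS, store_vulnerable))
    print("hardened:  ", import_eds(HOSTILE_EDS, store_hardened))
```

The allow-list in `parse_eds` limits which keys reach the database at all, but it does not make the concatenating routine safe: the defect is in how the value is joined to the query, which is why the fix binds parameters rather than filtering characters.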
Successful exploitation of this vulnerability could lead to denial-of-service (DoS) conditions or allow an attacker to manipulate the SQL engine to write or modify files on the system. The vulnerability affects critical infrastructure sectors including Critical Manufacturing, Energy, and Water and Wastewater Systems worldwide (CISA Advisory).
Rockwell Automation has released patches and recommends applying them by following the instructions in knowledgebase article RAid 1125928. Additional mitigations include blocking all traffic to EtherNet/IP or other CIP protocol-based devices from outside the manufacturing zone by restricting access to TCP Ports 2222, 7153 and UDP Port 44818 using proper network infrastructure controls. Organizations should also locate control system networks behind firewalls and isolate them from the business network (CISA Advisory).
The vulnerability was discovered and reported by Sharon Brizinov and Amir Preminger of Claroty to Rockwell Automation and CISA (CISA Advisory).
Source: This report was generated using AI